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1. (Amended) A method for updating a first version of 
an intrusion detection program operating at a network site, 
comprising : 

in response to an automated event, automatically 

dovmloading from a remote sit^ any update for the intrusion 

detection programs- 
installing a downloaded iij^dat^ to generate a second 

version of the intrusion detectionX program; and 

operating the second version \of the intrusion detection 

program in place of the first version at the network site. 



2 . The method ^o[l 
is a timed event 




im 1, wherein the automated event 



3 . (Amended) A method for updating a first version of 

a program operating at a network sate, comprising: 
aging the first version of thA programs- 
automat ically downloading f rom\ a remote site any update 

for the program in response to thq^f%:st version reaching a 

specified ages- 
installing a downloaded updat^s.\i^>^ generate a second 

version of the program; and 

operating the second version of th\ program in place of 

the first version at the network site. 



4. The method of Claim 3, ^vjjk^ein the specified age is 
less than or equal to twent^-j6<5ur hours. 




5. The metho^i^df^ Claim 2, wherein the timed event 
occurs at least >0fice a day. 
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6. (Amended) The n|ethod of Claim 1, the act of 
automatically downloading frcim the remote site any update for 
the intrusion detection program comprising: 

automatically connecting \to the remote site in response 
to the automated event; 

automatically determin^ngv ywhether the .remote site 
includes an update for the intrusion detection program; and 

in response to the remota site including an update, 
automatically downloading the upda\te from the remote site, 



7. The .method of Claij^R^ 1, further comprising 
downloading the update in ap^ncrypted format and decrypting 
the downloaded update wr/jj^^jr to installation. 



8. The j3Ftethod of Claim 1, further comprising 
authenticatisl^ the downloaded update prior to installation. 



(Amended) A methodX f or updating a first version of 



program operating at a netwoAk site, comprising: 

in response to an ai\tomated event, automatically 
downloading from a remote site a^iy update for the program; 

installing a downloaded i\pdate to generate a second 
version of the program; 

after installation of the d<dwnloaded update, determining 
whether the second version of \ the program is operating 
correctly; 

in response to correct operation of the second version, 
operating the second version of the program in place of the 
first version at the network site; ant 

in response to incorrect operation of the second version, 
restoring the first version of the p\:ogram for operation at 
the network site. 
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(Amended) A method 



for updating a first version of 
a program operating at a netwotk site, comprising: 

in response to an c.utomated event, automatically 
downloading from a remote site any update for the program; 

installing a downloaded update to generate a second 
version of the program; and 

operating the second verision of the program in place of 
the first version at the network site; 

distributing the downloaded update to a disparate network 
site operating the first version of the program; 



installing the downloaded 



version of the program at the disparate network site; and 



operating the second vers 



update to generate the second 



Lon of the program in place of 



the first version at the disparate network site, 



11. (Amended) A method f^r updating a first version of 
a program operating at a network! site, comprising: 

in response to an automated event, automatically 
downloading from a remote site a^y update for the program; 

installing a downloaded update to generate a second 
version of the program; 

after installation of the downloaded update, determining 
whether the second version of \ the program is operating 
correctly at the network site; 

in response to incorrect operation of the second version, 
restoring the first version of th)p program for operation at 
the network site; and 

in response to correct operatic^ of the second version at 
the network site: 

distributing the downloaded update to a disparate 
network site operating the first versipn of the program; 
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installing the downloaded update to generate the 
second version of the program at the disparate network site; 
^ and 

operating the second version of the program in place 
of the first version at the disparate network site. 
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(Amended) A method for updating a first version of 



a program operating at a network 



site, comprising: 



site; 

n update message; 



in response to an automated event, automatically 
downloading from a remote site aiiy update for the program; 

installing a downloaded update to generate a second 
version of the program; and 

operating the second versioja of the program in place of 
the first version at the network 
broadcasting over a network 
receiving in response to thel update message a request for 
the downloaded update from each lof a plurality of disparate 
network sites operating the first Version of the program; 

distributing the downloaded! update to the disparate 
network sites requesting the downloaded update; 

installing the downloaded update to generate the second 
version of the program at each of t^he disparate network sites; 
and 

operating the second version 
the first version at each of the di, 



of the program in place of 
parate network sites. 



! 



13. The method of Clairn^3r2, further comprising: 
receiving a recoverj^_^^vent at one of the network sites; 
automatically reS^or^JJ^ the first version of the program 
at the network sit^ atl which the recovery event was received; 

broadcast;irfig a recovery message from the network site 
over the n^^work; and 
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automatically restoring the first version of the prograr 
at each of the remaining network sites operating the seQ<^d 
version of the program. 



14. The method of Claim 1, wherein the progi?am is a set 
of intrusion detection signatures for an intrusion detection 
sensor. -. 



15. A method for uj&dating a first version of a program 

A 



operating at a network sit 

in response to an 
downloading from an Inte 
program; 

installing a downloa 
version of the program; an^ 

operating the second V^^sioi^ of the program in place of 
the first version at the network siVe 



comprising: 

automat,^d event, automatically 
wej? page any update for the 

5date to generate a second 



16. A method /for automatically updating an intrusion 
detection system ]?iaving a plurality of distributed intrusion 
detection sensor^ each operating with a first set of intrusion 
detection sign^ures, comprising: 

m re^onse to a specified event, automatically 
downloading/ from a remote site any update for the intrusion 
detection/ signatures ; 

distributing a downloaded update to each sensor; 
mstalling the downloaded update to generate a second set 
of ji^titrusion detection signatures for each sensor; and 

operating each sensor with the second set of intrusion 
ietection signatures . 
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17. The method of Claim 16, wherein the specified/event 
is a timed event. y 

18. The method of Claim 17, further comprising: 

aging the first set of intrusion deteotion signatures; 
and / 

wherein the timed event is the fi^st set of intrusion 
detection signatures reaching a specif iefa age. 

19. The method of Claim 18, wherein the specified age is 
less than or equal to twenty-f our /hours . 

20. The method of Claim 17, wherein the timed event 
occurs at least once a dav. / 

21. The method obY CxL^im 16, the act of automatically 
downloading from the remote site any update for the program 
comprising: / \ 

automatically csonnecting to the remote site in response 
to the timed event/ 

automat icalw determining whether the remote site 
includes an update for the intrusion detection signatures; and 

in response to the remote site including an update, 
automatically downloading the update from the remote site. 

22. /An intrusion detection system, comprising: 

a /private network including a plurality of sites 
connectzed to a public network, each site including an 
intrusion detection sensor operating with a first set of 
int^msion detection signatures; and 

/ each of the intrusion detection sensors operable to 
automatically download from a remote site any update for the 
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intrusion detection signatures in response to a specified 
event, to install a downloaded updat^ to generate a second set 
of intrusion detection signature^K'^ to operate with the second 
set of intrusion detection s^j^gnatures , and to distribute the 
downloaded update to th^- r^aining intrusion detection sensors 
for installation. 

23. The syst,^ Vof Claim 22, wherein the specified event 
is an automated yevent . 

24. The system of Claim 23, wherein the automated event 
is a timi^d event . 




25. (New) The method 
detection signatures compr 
that indicate unauthorized 




14 wherein the intrusion 
ferns of network activity 



■|^^\^ ^^^^^^^^ (New) The method of Claim 13 wherein the recovery 
event occijxs in response to incorrect operation of the 
intrusion dete^s^ion program. 
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